Computer-aided diagnosis (CAD) using computer vision (CV) methods, particularly deep convolutional neural networks (CNNs), has shown promise in medical imaging. CNNs have achieved performance comparable to experts in various diagnostic tasks. However, a significant challenge is the vulnerability of standardly trained deep learning models to adversarial attacks, where subtle image manipulations can drastically alter predictions. This vulnerability poses a risk in clinical settings where malicious actors could manipulate images for fraudulent purposes (e.g., insurance claims or drug approvals). Clinicians also require model transparency to trust and accept CAD systems. Existing methods, such as feature and attribution visualization (CAM, GradCAM), offer partial solutions but don't directly address the robustness issue. Adversarial training offers a potential solution by making models robust to these attacks and improving interpretability. However, previous research has indicated a trade-off between accuracy and robustness in adversarially trained models. This research aims to address this trade-off and investigate if adversarially trained models can achieve both high accuracy and improved interpretability in medical imaging.

The paper reviews existing literature on adversarial attacks in computer vision and their implications for medical imaging. It highlights the vulnerability of standardly trained models to adversarial perturbations, even those imperceptible to the human eye. The authors discuss existing explanation techniques such as CAM and GradCAM, acknowledging their limitations in addressing model robustness. They also mention previous research showing a potential trade-off between accuracy and robustness in adversarially trained models. The authors position their work within this context, aiming to overcome the accuracy limitations associated with adversarial training.

The study uses three medical imaging datasets: CheXpert (chest X-rays), Luna16 (CT scans of lung tumors), and Rijeka knee MRI. A ResNet-50 architecture was used. The authors employed adversarial training, using the Madry et al. approach to minimize expected adversarial loss by incorporating adversarial examples during training. They compared the performance of standardly trained models, adversarially trained models with a single batch normalization (BN), and adversarially trained models with dual batch normalization (one for real images and one for adversarial images). The performance metrics included Area Under the Receiver Operating Characteristic Curve (ROC-AUC), precision-recall curve, sensitivity, and specificity. Six radiologists independently rated the interpretability of saliency maps generated by the different models using a 0-5 scale (0: no correlation to 5: clear correlation between pathology and saliency map). Linear Centered Kernel Alignment (CKA) was used to analyze the similarity between layers in the different models' representations. The study also included an external validation set (ChestX-ray8) to assess the generalizability of the models. Statistical analysis involved bootstrapping to estimate confidence intervals and the Friedman test to compare the radiologist ratings.

The study found that adversarially trained models were significantly more robust to adversarial attacks than standardly trained models (Fig. 1). While adversarially trained models with a single BN showed reduced accuracy compared to standard models on limited datasets (Fig. 2), this performance gap significantly decreased with larger datasets. Critically, using dual batch normalization eliminated the accuracy gap, yielding performance comparable to standard models even on smaller datasets (Fig. 2). Radiologists rated the saliency maps generated by adversarially trained models with dual BN as significantly more interpretable and clinically useful than those from standard or single BN models (Fig. 5, Table 1). This improved interpretability is not simply due to increased data augmentation, as shown by comparing adversarial training with random noise augmentation (Supplementary Fig. 4). The CKA analysis revealed that adversarial training with a single BN led to increased similarity between network layers, suggesting a reduction in network complexity. In contrast, dual BN maintained complexity while preserving robustness. The external validation on ChestX-ray8 dataset confirmed that the adversarially trained models with dual BN generalized well to unseen data, performing similarly to standard models, with some exceptions attributed to distribution shifts between the datasets (Fig. 4).

The study successfully demonstrates that the perceived trade-off between robustness and accuracy in adversarial training can be overcome by using sufficiently large datasets and dual batch normalization. This finding has significant implications for the clinical deployment of deep learning models. The improved interpretability of adversarially trained models, as evidenced by the radiologists’ ratings, addresses a critical concern regarding the ‘black box’ nature of deep learning models, fostering trust and potentially enhancing clinical adoption. The results highlight the importance of considering the specific training approach and dataset size when developing and evaluating robust models for medical applications. While the study primarily uses 2D images, future work should investigate the applicability of these findings to higher-dimensional data.

This research shows that adversarially trained models with dual batch normalization achieve comparable diagnostic performance to standard models while offering superior interpretability and robustness. The use of dual batch normalization is crucial to avoid the accuracy drop often seen in adversarial training. These findings suggest that adversarially trained models can be valuable tools in clinical practice, promoting both accurate diagnoses and clinician trust. Future studies should explore the application of these methods to 3D and 4D medical imaging data.

The study primarily focuses on 2D medical images; the generalizability to 3D and 4D data warrants further investigation. While the improved interpretability is demonstrated through radiologist ratings, the direct impact of these saliency maps on diagnostic accuracy and clinical outcomes requires further research. The sample size of radiologists involved in the interpretation study could be considered a limitation for broader generalization. Dataset biases might impact the generalizability of the results, though an external validation dataset was included.